Field of the Invention
The present invention relates generally to data networks, and more particularly to policy based data networks.
Description of the Related Art
The approaches described in this section could be pursued but are not necessarily approaches that have previously been conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Data networks such as the Internet, enterprise data networks, mobile broadband networks, cloud networks, have become an integral part of our lives. We use applications over data networks to obtain news, gather product information, reserve a table for dinner, submit a payment, purchase a good, read a book, find a map, make or receive phone calls, conduct or join a conferencing event, participate in a meeting, work on a document, approve a promotion, chat with a friend, watch television and videos, book a plane ticket, and do many other things in our normal lifestyle or work style. Corporate computers use applications over data network for business transactions, factory control, corporate voice and telephony services, inventory, fleet management and many other business uses.
Typically a client computer requests a service from a network application being served by a server computer. The communication session between the client computer and the server computer passes through a data network. Often, for security reasons and for load balancing purposes, network applications of certain types of communication sessions are inspected by the data network, for example, using a server load balancer (SLB), an application delivery controller (ADC), a firewall, a hypervisor application server or a media gateway. These communication sessions may include HTTP sessions, TCP sessions, and SIP sessions. In one example, a HTTP application desires to be inspected in the data network. An application proxy for the HTTP application will be deployed in a network device in the data network where the network device intercepts a communication session of the HTTP application between a client and a server serving the HTTP application. The HTTP application proxy receives data packets from the client, examines the client data, performs a TCP/IP layer security control, performs a HTTP protocol layer security control, performs additional security and service processing specific to the HTTP application, and finally sends the client data, perhaps modified based on the above mentioned processing, to the server. On the reverse path, the HTTP application proxy receives data from the server and applies similar processing before sending the server data, modified when necessary, to the client. The HTTP application proxy needs to handle any data buffer management, and any necessary security handling associated with the HTTP application and the underlying protocol layers.
In another example, a network device performs a SIP application proxy for a Voice Over IP (VoIP) and media application, where the network device provides security and traffic policy services to enhance the VoIP and media application.
Typically, each network application proxy behaves similarly in deployment. When the number of network application proxies deployed in a network device increases, there may be redundant effort in the handling of application proxies. Also, the handling of proxies among the different application proxies may be inconsistent, leading sometimes to undesirable behavior of the network device.
Thus, there is a need to provide a common network proxy layer to offer a consistent and efficient mechanism for network application proxies.